skill-veil-core 0.2.0

Core library for skill-veil behavioral analysis
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162

//! Policy generation and stable public policy contract.

pub(crate) mod baseline;
pub(crate) mod disposition;
mod eval;
pub(crate) mod fingerprint;
pub(crate) mod reports;
pub(crate) mod sarif;
pub(crate) mod serializers;
pub(crate) mod state;
pub(crate) mod types;

use crate::findings::{OperationalContext, RecommendedAction, Severity};

pub use self::baseline::{BaselineEntry, BaselineFile, WaiverEntry, WaiverFile};
pub use self::disposition::{
    adjust_confidence, learned_allowlist, learned_confidence_adjustments, Disposition,
    DispositionOverlay, DispositionRecord,
};
pub use self::fingerprint::finding_fingerprint;
pub use self::reports::{JsonReport, PolicyGenerator};
pub(crate) use self::sarif::{
    SarifArtifactLocation, SarifConfiguration, SarifDriver, SarifLocation, SarifMessage,
    SarifPhysicalLocation, SarifRegion, SarifReport, SarifResult, SarifRule, SarifRun, SarifTool,
};
pub use self::serializers::empty_sarif_report;
pub use self::state::{
    apply_baseline, apply_policy_overrides, apply_policy_overrides_with_audit, apply_waivers,
    baseline_from_reports, count_baseline_matches, diff_reports, diff_reports_with_policy_state,
    load_baseline, load_disposition_overlay, load_policy, load_waivers, validate_policy,
    validate_waivers, PolicyLoadError,
};
pub(crate) use self::types::{default_policy_schema_version, empty_finding_summary};
pub use self::types::{
    AppliedPolicyOverride, ConfiguredProfile, ContextActionOverride, ContextPolicy, DiffEntry,
    DiffReport, PolicyAudit, PolicyFile, PolicyOverride, PolicyProfile, PolicyProfiles,
    ShieldPolicy, SuppressionSummary, POLICY_AUDIT_PRECEDENCE,
};

/// Default number of days until a shield policy expires.
pub(crate) const POLICY_EXPIRY_DAYS: i64 = 365;
/// Version string for persisted policy-related schemas.
pub const POLICY_SCHEMA_VERSION: &str = "skill-veil.dev/v1alpha1";

impl PolicyProfile {
    #[must_use]
    pub fn default_fail_on(self) -> Option<Severity> {
        match self {
            Self::Personal => Some(Severity::Critical),
            Self::Team => Some(Severity::High),
            Self::Enterprise => Some(Severity::Medium),
            Self::Research => None,
        }
    }

    #[must_use]
    pub fn default_action_for_context(self, context: OperationalContext) -> RecommendedAction {
        match self {
            Self::Personal => RecommendedAction::RequireApproval,
            Self::Team => match context {
                OperationalContext::Secrets => RecommendedAction::Block,
                _ => RecommendedAction::RequireApproval,
            },
            Self::Enterprise => match context {
                OperationalContext::Install
                | OperationalContext::Secrets
                | OperationalContext::ExternalComms => RecommendedAction::Block,
                OperationalContext::Network | OperationalContext::CodeModification => {
                    RecommendedAction::RequireApproval
                }
            },
            Self::Research => match context {
                OperationalContext::Secrets | OperationalContext::ExternalComms => {
                    RecommendedAction::RequireApproval
                }
                _ => RecommendedAction::Log,
            },
        }
    }
}

impl Default for PolicyFile {
    fn default() -> Self {
        Self {
            schema_version: self::types::default_policy_schema_version(),
            profiles: PolicyProfiles::default(),
            overrides: Vec::new(),
        }
    }
}

impl PolicyFile {
    #[must_use]
    pub fn profile_config(&self, profile: PolicyProfile) -> Option<&ConfiguredProfile> {
        match profile {
            PolicyProfile::Personal => self.profiles.personal.as_ref(),
            PolicyProfile::Team => self.profiles.team.as_ref(),
            PolicyProfile::Enterprise => self.profiles.enterprise.as_ref(),
            PolicyProfile::Research => self.profiles.research.as_ref(),
        }
    }

    #[must_use]
    pub fn resolve_fail_on(&self, profile: PolicyProfile) -> Option<Severity> {
        self.profile_config(profile)
            .and_then(|config| config.fail_on)
            .or_else(|| profile.default_fail_on())
    }

    #[must_use]
    pub fn resolve_context_action(
        &self,
        profile: PolicyProfile,
        context: OperationalContext,
    ) -> RecommendedAction {
        self.profile_config(profile)
            .and_then(|config| {
                config
                    .context_actions
                    .iter()
                    .find(|entry| entry.context == context)
                    .map(|entry| entry.action)
            })
            .unwrap_or_else(|| profile.default_action_for_context(context))
    }
}

impl Default for PolicyAudit {
    fn default() -> Self {
        Self {
            precedence_order: POLICY_AUDIT_PRECEDENCE
                .iter()
                .map(|s| (*s).to_string())
                .collect(),
            effective_fail_on: None,
            applied_overrides: Vec::new(),
        }
    }
}

pub(crate) fn context_label(context: OperationalContext) -> &'static str {
    match context {
        OperationalContext::Install => "install",
        OperationalContext::Network => "network",
        OperationalContext::Secrets => "secrets",
        OperationalContext::CodeModification => "code_modification",
        OperationalContext::ExternalComms => "external_comms",
    }
}

pub(crate) fn severity_to_sarif_level(severity: Severity) -> &'static str {
    match severity {
        Severity::Critical | Severity::High => "error",
        Severity::Medium => "warning",
        Severity::Low => "note",
    }
}

#[cfg(test)]
mod tests_filtering;
#[cfg(test)]
mod tests_generation;